Rails 3.1 attr_accessible verification receives an array of roles
I would like to use Rails' new dynamic attr_accessible feature. However, each of my users has many roles (I am using declarative authorization). So I have the following in my model:
class Student < ActiveRecord::Base
  attr_accessible :first_name, :as => :admin
end
and I pass this in my controller:
@student.update_attributes(params[:student], :as => user_roles)
user_roles is an array of symbols:
user_roles = [:admin, :employee]
I would like my model to check if one of the symbols in the array matches with the declared attr_accessible. Therefore I avoid any duplication.
For example, given that user_roles = [:admin, :employee], this works:
@student.update_attributes(params[:student], :as => user_roles.first)
but it is useless if I can only verify one role or symbol because all my users have many roles.
Any help would be greatly appreciated.
***************UPDATE************************
You can download an example app here: https://github.com/jalagrange/roles_test_app
There are 2 examples in this app: Students, in which I cannot update any attributes, despite the fact that 'user_roles = [:admin, :student]'; and People, in which I can change only the first name because I am using "user_roles.first" in the controller update action. Hope this helps. I'm sure somebody else must have this issue.
You can monkey-patch ActiveModel's mass assignment module as follows:
# in config/initializers/mass_assignment_security.rb
module ActiveModel::MassAssignmentSecurity::ClassMethods
  def accessible_attributes(roles = :default)
    whitelist = ActiveModel::MassAssignmentSecurity::WhiteList.new
    Array.wrap(roles).inject(whitelist) do |allowed_attrs, role|
      allowed_attrs + accessible_attributes_configs[role].to_a
    end
  end
end
That way, you can pass an array as the :as option to update_attributes.
Note that this probably breaks if accessible_attrs_configs contains a BlackList (from using attr_protected).
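The union-of-roles check the answer above describes, modeled in plain Ruby without Rails so the resulting permission set can be inspected directly. This is an added example, not part of the original post and not ActiveModel code; the RoleWhitelist class, its method names and the sample attributes are hypothetical.

```ruby
require 'set'

# Hypothetical stand-in for per-role attr_accessible configs (not ActiveModel code).
class RoleWhitelist
  def initialize
    # Unknown roles map to an empty set, so they grant nothing (fail closed).
    @configs = Hash.new { |hash, role| hash[role] = Set.new }
  end

  # Mirrors `attr_accessible :first_name, :as => :admin`.
  def allow(*attrs, as: :default)
    Array(as).each { |role| @configs[role.to_sym].merge(attrs.map(&:to_s)) }
    self
  end

  # Union of the whitelists of every role the caller holds.
  def accessible_attributes(roles = :default)
    Array(roles).inject(Set.new) do |allowed, role|
      allowed | @configs[role.to_sym]
    end
  end

  # Drops keys no held role may assign; "born_on(1i)" is checked as "born_on".
  def sanitize(params, roles = :default)
    allowed = accessible_attributes(roles)
    params.select { |key, _| allowed.include?(key.to_s.sub(/\(.+/, '')) }
  end
end

# Constructed sample data.
STUDENT_RULES = RoleWhitelist.new
  .allow(:first_name, as: :admin)
  .allow(:nickname, :born_on, as: :employee)
SUBMITTED = {
  'first_name'  => 'Ada',
  'nickname'    => 'al',
  'born_on(1i)' => '1990',
  'is_admin'    => '1'     # never whitelisted for any role
}

def demo
  {
    both:    STUDENT_RULES.sanitize(SUBMITTED, [:admin, :employee]).keys,
    admin:   STUDENT_RULES.sanitize(SUBMITTED, :admin).keys,
    unknown: STUDENT_RULES.sanitize(SUBMITTED, [:guest]).keys
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

A role configured through attr_protected holds a blacklist rather than a whitelist, and merging such a set into this union would treat the protected names as allowed, which is the case the answer's closing note is about.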